40 lines
804 B
Plaintext
40 lines
804 B
Plaintext
Passing user input into a command is always a potentially risky proposition, but it is particularly risky when you're allowing the user to name where control should be transferred.
|
|
|
|
|
|
This rule raises an issue any time user input or web input is used in the transfer of control.
|
|
|
|
|
|
== Noncompliant Code Example
|
|
|
|
[source,text]
|
|
----
|
|
ACCEPT NAME.
|
|
EXEC CICS
|
|
LINK PROGRAM(NAME) *> Noncompliant
|
|
COMMAREA(COMM)
|
|
LENGTH(LEN)
|
|
DATALENGTH(LEND)
|
|
SYSID('HELP')
|
|
END-EXEC.
|
|
|
|
*> ...
|
|
|
|
EXEC CICS
|
|
WEB READ
|
|
FORMFIELD(NAME)
|
|
VALUE(PNAME)
|
|
END-EXEC.
|
|
|
|
EXEC CICS
|
|
LINK PROGRAM(pNAME) *> Noncompliant
|
|
*> ...
|
|
END-EXEC
|
|
----
|
|
|
|
|
|
== See
|
|
|
|
* https://www.owasp.org/index.php/Top_10-2017_A1-Injection[OWASP Top 10 2017 Category A1] - Injection
|
|
* https://cwe.mitre.org/data/definitions/114[MITRE, CWE-114] - Process Control
|
|
|